The Difference Between a Virus, Worm and Trojan Horse
The most common blunder people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan horses are all malicious programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you better protect your computer from their often damaging effects.
A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects, while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.
A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and so on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In more recent worm attacks, such as the much-talked-about Blaster Worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.
Key Terms To Understanding Computer Viruses:
- virus - A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
- Trojan Horse - A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.
- worm - A program or algorithm that replicates itself over a computer network and usually performs malicious actions.
- blended threat - Blended threats combine the characteristics of viruses, worms, Trojan horses and malicious code with server and Internet vulnerabilities.
- antivirus program - A utility that searches a hard disk for viruses and removes any that are found.
A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. At first glance, a Trojan Horse will appear to be useful software, but it will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons), while others can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.
Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of methods and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities.
To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack; it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended threat could modify .exe files, HTML files and registry keys at the same time; basically, it can cause damage within several areas of your network at one time.
Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.
Combating Viruses, Worms and Trojan Horses
The first step to protecting your computer is to ensure your operating system (OS) is up-to-date. This is essential if you are running a Microsoft Windows OS. Secondly, you should have anti-virus software installed on your system and download updates frequently so that your software has the latest fixes for new viruses, worms and Trojan horses. Additionally, you want to make sure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the Internet. This will help prevent malicious programs from even reaching your computer. You should also install a firewall.
A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or built into broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore embedded worms in outgoing e-mails and see this as regular network traffic. For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside to software firewalls is that they will only protect the computer they are installed on, not a network.
It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and good anti-virus scanning software, it will add some extra security and protection for your computer or network.
Did You Know... CodeRed, a blended threat, launched DoS attacks, defaced Web servers, and its variant, CodeRed II, left Trojan horses behind for later execution. CodeRed was processed in memory, not on a hard disk, allowing it to slip past some anti-virus products. Computer Economics has estimated the worldwide cost of CodeRed at $2.62 billion. [Source: Symantec Web site]
How Firewalls Work
If you have been using the Internet for any length of time, and especially if you work at a larger company and browse the Web while you are at work, you have probably heard the term firewall used. For example, you often hear people in companies say things like, "I can't use that site because they won't let it through the firewall."
If you have a fast Internet connection into your home (either a DSL connection or a cable modem), you may have found yourself hearing about firewalls for your home network as well. It turns out that a small home network has many of the same security issues that a large corporate network does.
You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.
Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next. As you read through this article, you will learn more about firewalls, how they work and what kinds of threats they can protect you from.
What It Does
A firewall is simply a program or hardware device that filters the information coming through the Internet connection into
your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.
If you have read the article How Web Servers Work, then you know a good bit about how data moves on the Internet, and you can easily see how a firewall helps protect computers
inside a large company. Let's say that you work at a company with 500 employees. The company will therefore have hundreds
of computers that all have network cards connecting them together. In addition, the company will have one or more connections
to the Internet through something like T1 or T3 lines. Without a firewall in place, all of those hundreds of computers are
directly accessible to anyone on the Internet. A person who knows what he or she is doing can probe those computers, try to
make FTP connections to them, try to make telnet connections to them and so on. If one employee makes a mistake and leaves
a security hole, hackers can get to the machine and exploit the hole.
With a firewall in place, the landscape is much different. A company will place a firewall at every connection to the Internet
(for example, at every T1 line coming into the company). The firewall can implement security rules. For example, one of the
security rules inside the company might be:
Out of the 500 computers inside this company, only one of them is permitted to receive public FTP traffic. Allow FTP connections
only to that one computer and prevent them on all others.
A company can set up rules like this for FTP servers, Web servers, Telnet servers and so on. In addition, the company can
control how employees connect to Web sites, whether files are allowed to leave the company over the network and so on. A firewall
gives a company tremendous control over how people use the network.
Firewalls use one or more of three methods to control traffic flowing in and out of the network:
- Packet filtering - Packets (small chunks of data) are analyzed against a set of filters. Packets that make
it through the filters are sent to the requesting system and all others are discarded.
- Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system
and vice versa.
- Stateful inspection - A newer method that doesn't examine the contents of each packet but instead compares certain
key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside
is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the
comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
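The default-deny posture, the "only one of the 500 computers receives public FTP" rule and stateful inspection of return traffic, modelled as an added example in Python (not code from the original article; all addresses and packets are constructed sample values, and 10.0.0.21 is the assumed FTP host):

```python
from dataclasses import dataclass

# Constructed sample values: the company's private range, and the single
# host (one out of the "500 computers") that may receive public FTP traffic.
INSIDE_NET = "10.0.0."
FTP_SERVER = "10.0.0.21"
FTP_PORT = 21


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    sport: int          # source port
    dport: int          # destination port
    syn: bool = False   # True for a packet that opens a new connection
    source_routed: bool = False


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)


class StatefulFirewall:
    def __init__(self):
        # Connections opened from inside: (inside host, inside port, outside host, outside port)
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        # Source-routed packets are dropped regardless of any other rule.
        if pkt.source_routed:
            return "DROP source-routed"
        # Outbound: inside hosts may initiate; remember the connection so the
        # reply can be recognised when it comes back in (stateful inspection).
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW outbound"
        # Inbound reply that matches a connection an inside host started.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "ALLOW established"
        # Inbound new connection: only public FTP, and only to the one FTP server.
        if pkt.syn and pkt.dport == FTP_PORT and pkt.dst == FTP_SERVER:
            return "ALLOW ftp"
        # Everything else hits the default-deny rule.
        return "DROP default"


def run_sample() -> list:
    """Run a constructed packet sequence through the filter; returns the verdicts."""
    fw = StatefulFirewall()
    packets = [
        Packet("203.0.113.5", FTP_SERVER, 40000, FTP_PORT, syn=True),   # public FTP to the allowed host
        Packet("203.0.113.5", "10.0.0.22", 40001, FTP_PORT, syn=True),  # FTP to any other inside host
        Packet("203.0.113.5", FTP_SERVER, 40002, 23, syn=True),         # telnet probe of the FTP host
        Packet("10.0.0.7", "198.51.100.9", 51000, 80, syn=True),        # inside user browsing out
        Packet("198.51.100.9", "10.0.0.7", 80, 51000),                  # the Web server's reply
        Packet("198.51.100.9", "10.0.0.8", 80, 51000),                  # same reply aimed at another host
        Packet("198.51.100.9", "10.0.0.7", 80, 51000, source_routed=True),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```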
Making the Firewall Fit
Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:
Some operating systems
come with a firewall built in. Otherwise, a software firewall can be installed on the computer in your home that has an Internet
connection. This computer is considered a gateway because it provides the only point of access between your home network and the Internet.
With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the Linksys Cable/DSL router.
It has a built-in Ethernet card and hub. Computers in your home network connect to the router, which in turn is connected to either a cable or DSL modem. You configure the router via a Web-based interface that you reach through the browser on your computer. You can then
set any filters or additional information.
Hardware firewalls are incredibly secure and not very expensive. Home versions that include a router, firewall and Ethernet hub for broadband connections
What It Protects You From
There are many creative ways that unscrupulous people use to access or abuse unprotected computers:
- Remote login - When someone is able to connect to your computer and control it in some form. This can range from
being able to view or access your files to actually running programs on your computer.
- Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that
provide a backdoor, or hidden access, that provides some level of control of the program.
- SMTP session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam)
to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host,
making the actual sender of the spam difficult to trace.
- Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker
can take advantage of.
- Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites.
This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect
to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made
the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl
or eventually crash.
- E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands
of times until your e-mail system cannot accept any more messages.
- Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the
application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that,
depending on the application, can destroy your data or crash your computer.
- Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the
next. Viruses range from harmless messages to erasing all of your data.
- Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous
though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a
cookie that provides a backdoor to your computer.
- Redirect bombs - Hackers can use ICMP to change (redirect) the path information takes by sending it to a different
router. This is one of the ways that a denial of service attack is set up.
- Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined
by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should
travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside
the network! Most firewall products disable source routing by default.
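Detection logic for the half-open connection flood described under "Denial of service", as an added example that is not part of the original article; the connection table it reads is a constructed netstat-style sample and the threshold is an assumed illustrative value:

```python
from collections import Counter

# Constructed netstat-style connection table (not a real capture).  Columns:
# proto recv-q send-q local-address remote-address state.  Five half-open
# connections to the Web service come from addresses that never complete
# the handshake; the other rows are normal traffic.
SAMPLE_CONNECTIONS = """\
tcp 0 0 10.0.0.5:80 203.0.113.9:4455 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.17:5101 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.33:6012 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.41:7020 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.58:8844 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.4:52100 ESTABLISHED
tcp 0 0 10.0.0.5:25 198.51.100.7:33012 SYN_RECV
tcp 0 0 10.0.0.5:22 10.0.0.7:51002 ESTABLISHED
"""

# A server-side socket still waiting for the client's final handshake packet.
HALF_OPEN_STATE = "SYN_RECV"


def parse_connections(table: str):
    """Yield (local, remote, state) for each well-formed row of the table."""
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip headers or truncated rows
        yield parts[3], parts[4], parts[5]


def half_open_by_service(table: str):
    """Count half-open connections per local service and the distinct sources behind them."""
    counts = Counter()
    sources = {}
    for local, remote, state in parse_connections(table):
        if state != HALF_OPEN_STATE:
            continue
        counts[local] += 1
        sources.setdefault(local, set()).add(remote.rsplit(":", 1)[0])
    return counts, sources


def flag_floods(table: str, threshold: int = 4) -> dict:
    """Return {service: (half_open_count, distinct_sources)} for services at or above the threshold.

    The threshold is an illustrative value; tune it to the service's normal backlog.
    """
    counts, sources = half_open_by_service(table)
    return {svc: (n, len(sources[svc])) for svc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for svc, (n, distinct) in flag_floods(SAMPLE_CONNECTIONS).items():
        print(f"{svc}: {n} half-open connections from {distinct} sources")
```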
Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer
virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying,
some spam is going to get through your firewall as long as you accept e-mail.
The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest
level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection.
But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also
restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through.
This is a good rule for businesses that have an experienced network administrator that understands what the needs are and
knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the
firewall developer unless there is a specific reason to change it.
One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.
Proxy Servers and DMZ
A function that is often combined with a firewall is a proxy server. The proxy server is used by the other computers to access Web pages. When another computer requests a Web page, it is retrieved by the proxy server and then sent to the requesting computer. The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network, other than the proxy server.
Proxy servers can also make your Internet access work more efficiently. If you access a page on a Web site, it is cached
(stored) on the proxy server. This means that the next time you go back to that page, it normally doesn't have to load again
from the Web site. Instead it loads instantaneously from the proxy server.
There are times that you may want remote users to have access to items on your network. Some examples are:
- Web site
- Online business
- FTP download and upload area
In cases like this, you may want to create a DMZ (Demilitarized Zone). Although this sounds pretty serious, it really is just an area that is outside the firewall. Think of a DMZ as the front yard of your house. It belongs to you and you may put some things there, but you would put anything valuable inside the house where it can be properly secured.
Setting up a DMZ is very easy. If you have multiple computers, you can choose to simply place one of the computers between
the Internet connection and the firewall. Most of the software firewalls available will allow you to designate a directory
on the gateway computer as a DMZ.
Once you have a firewall in place, you should test it. A great way to do this is to go to www.grc.com and try their free Shields Up! security test. You will get immediate feedback on just how secure your system is!